Posted
by
CmdrTaco
on Thursday November 11, 2010 @12:36PM
from the yeah-sorry-'bout-that dept.

adeelarshad82 writes "The Federal Communications Commission is looking into whether Google's Street View Wi-Fi data collection violated the Communications Act. At issue is a May admission from Google that equipment attached to its Street View cars collected data that was traveling over unencrypted Wi-Fi networks, known as payload data. At first Google said it did not know if that data included personally identifiable information, but the company admitted last month that it did include entire e-mail addresses, URLs, and passwords. Google has pledged to work with the FCC."

I was under the impression that amassing and organizing as much information as possible was part of their goal. There's lots of information to be had from router data. Perhaps it really was unintentional that they collected the extra personal information and that they only were interested in SSID, MAC, encryption, etc.

Even giving them the benefit of the doubt and agreeing that the collection of personally identifiable information was an accident, what do they need MAC adresses and SSIDs for? Some kind of searchable database for open WiFi no matter where you are? That's not a lawsuit waiting to happen, no sir...

Just MAC and SSID? Well, you might be interested in the fact that the MAC is pretty much a vendor-specific ID, meaning that in most cases you can correlate the MAC to a vendor and model. What this means is that by collecting MAC addresses you can build a database of router vendors and models.

Manufacturers and retailers will then beat a path to your door to buy that database for marketing purposes. That is the true value of collecting that information.

Duh! It's Street View! You'd think they'd KNOW where they are!:) In all seriousness, they should have used GPS and this would have been a non-issue. Sad thing is, this kind of thing gets people in criminal court but will likely get Google a mere fine.

In all seriousness, they should have used GPS and this would have been a non-issue.

They're not trying to figure out where THEY are. They're collecting data so when I (since I do have an Android device) walk along that same street, my device has another data source to figure out where I am. Google's Streetview vans are zipping along making snapshots. They're also wardriving; recording what WAPs they find and where (via GPS and triangulation). With that data, my device can do some triangulation on several WAP signals and get a pretty decent idea where I am as well.

GPS would give them the same data, though. It's just a matter of being able to use WiFi instead of or to augment GPS data. In short, they had a solution, thought it'd be cool to use another, now are in hot water. It's a moot point. The worse that can happen is that they be forced to dump the data and not use it and be fined. The second worse is to just be fined and somehow sanitize the data and convince the government it's kosher, the least is that they are scolded for doing it and nothing happens. Ultimate

GPS would give them the same data, though. It's just a matter of being able to use WiFi instead of or to augment GPS data. In short, they had a solution, thought it'd be cool to use another, now are in hot water.

Ya know - now that I look at what you wrote, I noticed the emoticon. Humor; ar ar. And so here I am being all serious and unintentionally trolled. Unfortunately, it seems that all kidding aside, there are way too many people who are fearful due to a lack of understanding of the topic(s).

I think you're right; for Google all this is a moot point. But for the rest of us, I think there's a good opportunity to educate the public (and ourselves) on the issues involved. We do that with the full understanding

GPS would give them the same data, though. It's just a matter of being able to use WiFi instead of or to augment GPS data. In short, they had a solution, thought it'd be cool to use another, now are in hot water.

You are misunderstanding the point of collecting the MAC/SSID info. It isn't for their StreetView vehicles to get a location instead of using GPS, it is to build a database that can be used as the basis of a geolocation service that will work for devices without GPS but with Wifi. They've discussed that as the reason for the data collection and they have that service working. It is a highly useful standard part of Android, referred to as "coarse location" and it works with an Android phone's GPS radio off

Except that Skyhook does not send a vehicle through your neighborhood to collect the information, unrequired; they calculate it and store it as part of the location-detection service that the user initiated.

So, if I access Google and request location information, then it's fine for them to catalog my MAC address and Wi-Fi network information in order to properly and accurately provide the service. However, if I don't use Google, I do not want them cataloging my network information, uninvited.

"To develop this database, Skyhook has deployed drivers to survey every single street, highway, and alley in tens of thousands of cities and towns worldwide, scanning for Wi-Fi access points and cell towers plotting their precise geographic locations."

I can't say what they wanted, that's just a guess. A MAC address would at least give away the manufacturer. But that's conjecture. It is possible that someone fudged some code and accidentally collected personal information instead of discarding it. It happens.

They used common off the shelf linux utilities to collect this information. The collected beacon information, wrote it to disk with the current location information.

Rather than a "database" it was a simple flat file of location plus beacon data.

Someone forgot to filter it so that only beacon packets were written.

So in the 5-10 seconds the car was within range of an unencrypted wifi some other data might have been geo-tagged and written.

Don't try to make more of it that it was. It was not a relational database. Its no where near that sophisticated. And google was unaware that they were even collecting the information till they noticed their disk were filling faster than they should. Since all they wanted was Beacon packets they never even looked at the rest.

And guess who reported this to government: Thats right, Google.

No one goes to jail for a harmless mistake.

The only way this data gets sold is when the governments that demanded it for their witch-hunt release it under freedom of information requests.

Now run along and go turn your wireless encryption on and put your tinfoil hat back in the closet.

It was probably easier to record the WiFi and store it as it is than try and outfit all 50,000 vehicles with enough computing power to be able to actually analyze the signal and pull out the MACs and SSIDs. More like it was just recorded on a tape and brought back to a computer center where the tape was then analyzed in a central location.

It was probably easier to record the WiFi and store it as it is than try and outfit all 50,000 vehicles with enough computing power to be able to actually analyze the signal and pull out the MACs and SSIDs. More like it was just recorded on a tape and brought back to a computer center where the tape was then analyzed in a central location.

Tape is quaint.

But, Yes. Anyone with a scientific mindset knows that when you are in a position to collect data is NOT the time to refrain from collecting data. Even if you are 99% certain that you will never want 99% of what you can collect: when you are able to collect the data, collect everything you can. If you are Google, you buy disks by the truckload and you have hired a bunch of people who recently spent what should have been the best years of their lives in labs. They know that you store all t

The software they used was had a log of the traffic data. They did not know about it, they didn't plan to collect it. And the moment they found out about it they told everyone. If they had just silently deleted it no one would have known. But Google felt it was best to be open about their mistake.

The software they used was had a log of the traffic data. They did not know about it, they didn't plan to collect it. And the moment they found out about it they told everyone. If they had just silently deleted it no one would have known. But Google felt it was best to be open about their mistake.

Your last point is highly debatable. Google only went public with this after the German government demanded to audit the data even though Google assured them that no private information was being collected.

No that is wrong. The time line in that story is completely backward (something you would expect from that site).

Google didn't even know what was in the data because they didn't make use of it. Further, they reported that they were collecting beacon data well in advance. The germans only demanded it once google put out its notification to governments that they had accidentally collected other data.

There has been speculation that the software that they were using collects this data by default or that it is an setting that is easy to turn on without realizing it. I really don't get it, this is like complaining that the guy with his finger on the nuclear launch button brought a butter knife to work. For what possible reason would Google collect this information on purpose? The payoff is zilch, and the risk of backlash is huge. Everything points to this just being a stupid accident.

Why would they even REMOTELY think this was a good idea? What's the point of Google collecting this kind of information

I think they proceed from the philosophy of "it's easier to ask for forgiveness than permission". They are, after all, a corporation and therefore unlikely to suffer any penalty worse than a slap on the wrist. Individuals who might face real jail time tend to think it's easier to ask for permission than for forgiveness.

The point of collecting information on wifi hotspots is to do more accurate geospatial targeting. Mapping IPs to lat/long is very coarse, since it maps to your ISP. With a database of wifi hotspot locations you can do much better. And given that they're driving around anyway to take street view photos, it doesn't cost Google anything to collect this data.

Now about recording the text information traversing unprotected hotspots -- which is the part of this that has people concerned -- that apparently was unintended. The explanation given by Google is that they were using some open source library that by default logged this information. Honestly I don't see that it would do them much good to do random packet sniffing like this, so I personally can't see a nefarious motive here although I do know we have some paranoid people in our midst.

Having played with Kismet (which is what Google is using [slashdot.org]), it seems to me that it's really easy to accidentally capture packet payloads. Kismet will dump payloads in to handy pcaps by default.

Wardriving generally sucks for data capture. It's good for surveying (its interesting to see the proliferation of WAPs and secured APs at that... and some people choose really amusing SSIDs). But driving around alters signal strength which means losing packets. You're also channel hopping which means losing packets. If you really want to log people's data, you wardrive first to identify targets then come back and listen to just that (or a very small subset) of targets.

I have a real problem with a technically-minded company like Google "accidentally" logging that kind of information. Even if it was an accident, they need to be punished for that through fines or something (as other companies have been punished for their privacy breaches), and the FTC's ending of its inquiry solely based on Google's promise to do better next time was bullshit.

You have to hold companies with this much power and information accountable. Basically, you have to keep them in line and remind them

Even if it was an accident, they need to be punished for that through fines or something (as other companies have been punished for their privacy breaches)

That's fair enough, although in practice the PR impact of this has hurt Google far more than any fine the government could possibly impose. I'll wager the folks there are taking this very seriously, and that potential fines from regulators have nothing to do with it.

I have a real problem with a technically-minded company like Google "accidentally" logging that kind of information. Even if it was an accident, they need to be punished for that through fines or something

Based on what? Your feelings?

There is very little codified legal privacy protection in the US. The FTC can't invent new law out of thin air and your "problem" with Google. In this specific case, it is hard to argue rationally that Google did anything wrong. They captured unencrypted radio signals using an open standard encoding. The idiot "victims" might as well have been posting all of the captured secrets to a foot-high scrolling LED ticker on the front of their homes. The only meaningful difference i

They didn't think about it at all. They just wanted SSIDs and MACs and the payload data came along for the ride. They obviously didn't think it would be a problem, and why would they? Everything they collected was transmitted in the clear on unregulated spectrum.

"Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data. "

In other words, they did what every other software engineer does: they reused old code to get a job done. This time the code happened to have a bug in it, or rather an unintended consequence, that collected snippets of people's personal information as the vans drove by people's unencrypted wifi connections, which they've since publicly admitted and gone on to delete, or at least they would have deleted it except now they can't because all the lawyers have gotten involved and want to extract money/publicity to themselves by suing Google.

The whole thing is a giant tempest in a teapot. Even worse, it's a major distraction from real, more important, privacy issues.

Why would they even REMOTELY think this was a good idea? What's the point of Google collecting this kind of information

Have you been asleep for the last 6 months?

It was an error, they didn't even know they were collecting it and never used it for anything. They simply filtered out the beacon data to locate wifi hot-spots. None of these wifi hot-spots were encrypted

Google themselves reported this when they discovered they were collecting way more data than they wanted. But even Google didn't look into the data and see what was there.

Governments demanded the data, and THEY began sifting it and gathering email addresses. Now WHO violate the laws? Seems to me the government busybodies sifting thru the data that google never even looked at are the guilty ones.

How in gods name can you be so unaware of the details of this incident after all this time?

Forget the information contained in the networks, even since street-view came out I thought it was a shame they didn't list wifi networks with gps coords, encryption type, signal strength and the detection date. It was neat seeing my house one google maps but I'd be more excited to see my network signal.:P

I was thinking something more along the lines of breaking into their home networks and lifting passwords, credit card numbers and social security numbers, as well as a way to obfuscate their location for an attack of some kind. But yeah...damn the man or whatever.

Hmmm, illegal acts like enabling people to find an available wireless connection without paying ATT or Verizon for it?

Yeah, shame on them how dare they enable people to connect to the internet without paying out the ass for it, just plain un-American!

I'm all for utilizing bandwidth in a cost-effective way. If ATT or Verizon don't like that, too bad for them. Having said that, if someone wants to share your connection (that you pay for, that your name is on) then why can't they ask you first? Seems like common courtesy to me. Then you can give them a password or encryption key and allow them as an authorized user.

It's reasonable to assume that those who don't show that kind of common courtesy are more likely to cause trouble.

Why the hell did this get labelled "troll"?This is FACT... there are lots of cases of this!Or being so financially hurt you can't afford net access, and all you do is view a few websites, and check your mail.Before anyone spouts off about not being able to afford a computer, you can get them at goodwill for $25 sometimes, or off of craigslist for $25-$50.

I suppose that could facilitate some anonymity but that just seems a bit paranoid to me. Why not just use Tor if you want to do your dirty work, no need to even leave the house. And if you don't want your network being used by outsiders, don't allow access... I have a wireless access point from my home available to the public, just to be nice. I just cap it's data usage.:)

I don't think they'll show a list of all networks that are in an area - it would be too easy for a competitor to datamine them then.

What they effectively have is a lookup service:MAC + SSID -> your location to within Wi-Fi range

You'll notice that a lot of Google products are now location enabled - Maps can, if you are using Wi-Fi, determine automatically where you are. Same for Android devices even when GPS and cellular signals are turned off. The data collection efforts in question are how Google prov

If the wifi is open then google can't be in trouble for using the wifi. Whats stopping me from going on my neighbors wifi and using it if it's open. Open Wifi is an invitation to use. Now if google cracked the wifi then ya I can see the FCC being pissed, but they only used open wifi.

As many times as it takes to get it through your thick skull. In Windows, most of the time it falls to the most available wireless network, so you don't actually hack in... it just HAPPENS.I do this all of the time, and I have to switch to the network I want.

If you don't understand it, re-read this until you do. It'll help you in life with lots of different scenarios, trust me.

There's nothing stopping you from driving around town collecting all of your neighbors' discarded bank statements on garbage day - they really should be shredding them, after all. Still, it might raise a few eyebrows.

Why is it illegal for Google to listen as it drives down the street to something you're broadcasting into the street?

Make it illegal to broadcast it into the street in such a way that a normal consumer device won't hear it, THEN you can go after Google if they used something to cheat and listen in on people.

Right now they're being investigated because they drove down the street with a microphone and recorded all the idiots shouting out their private info to anyone willing to listen... without special listening equipment!

I understand making it illegal for someone to use a laser mic to listen to my private in home conversations. I expect anything that normally would not be heard outside my home to be private.

Wifi most certainly is expected to be heard outside the home. Its not something that someone can claim ignorance on, people understand that television broadcasts and radio broadcasts travel many miles, so anyone claiming ignorance just doesn't count as they are too stupid to matter.

I really can't see how you can call google wrong in these case, if you broadcast it over the airwaves, and someone hears it, too damn bad. Encrypt it, or hell at least use WEP, where it might not be actually secure, but at least you can say you made it clear it was not intended for unauthorized parties.

The OP is not using the correct analogy. When someone is standing on a corner of a street and "yelling" things, I do not have a choice but to hear what he's saying (unless I somehow block all his audio), the WiFi signals on the other hand have to be willfully intercepted and recorded, meaning there was INTENT to collect this data that by all standards was probably "assumed" private by those using their WiFi modems for internet.
The law says a "reasonable expectation of privacy" - and I can bet 100% that mo

> Why is it illegal for Google to listen as it drives down the street to something you're broadcasting into the street?

It isn't. There must be a reasonable expectation of privacy before listen is a problem. Unencrypted radio transmissions have no such expectation. For example, no one would consider that listening to an FM radio broadcast would be a problem. ClearChannel can't come along later and say, "uh, you can't listen to that signal we're beaming through your house!" Of course I can. If you do

"Reasonable expectation of privacy" doesn't really apply because people don't understand the technology. Most of the people using no encryption do in fact expect their communications to be private. I don't think Google's collection was "wrong", especially since it was apparently largely accidental, but a narrow regulation of companies' collection of data might be reasonable. Similarly, people often forget how visible lighted windows make them at night, and while I don't think there should be a sweeping law

Disagree. I think "reasonable" should mean "reasonable to someone who has at least a layman's understanding", and anyone with that is going to understand that radio waves can be picked up at a distance. It shouldn't mean, "reasonable to the most clueless people it's possible to find".

If we let the most clueless among us dictate public policy, that will lead nowhere good. That's how you end up with

Ah, yes, I remember those. Back in the 80s I bought a wide-band
scanning receiver that happened to cover the band used
by car phones. It came
with a separate sheet of paper in the box loudly warning me that I should
never tune to that band because it was illegal (citing the
appropriate legal codes). Of course you can guess which
band I tuned into first.

I was astounded.
Most car phone users acted as if
they had no clue their calls
could be eavesdropped (only once or twice did I hear someone say, "you

IT is simple political vendetta. Some google VP hosted a fundraiser for the Democratic candidate and the newly elected Republicans are out to send a strong message. Whether or not you agree with Google or not, we need to send a strong message to ask the legislators from engaging in such witch hunts. Lesson learned, Google too will donate money anonymously in the next cycle.

IT is simple political vendetta. Some google VP hosted a fundraiser for the Democratic candidate and the newly elected Republicans are out to send a strong message. Whether or not you agree with Google or not, we need to send a strong message to ask the legislators from engaging in such witch hunts. Lesson learned, Google too will donate money anonymously in the next cycle.

The FCC is executive branch. That didn't change hands in the last election and is still controlled by a Democrat president.

Duh, what? The FCC is part of the executive branch. You know, the part of the government that answers to the President. Apart from that, the people elected on November 2nd don't even take office until next year.

Actually, federal law prohibits the unauthorized publication or use of messages intercepted over radio networks. Contrary to popular opinion on Slashdot, "wardriving" is illegal for this reason (among others) in many areas. There is a reasonable expectation of privacy, just as you wouldn't consider having an unlocked door to be an invitation for people to stroll into your living room and take pictures of your stuff.

As for claiming that people can't claim ignorance about Wi-Fi technology...what planet are you living on? You seriously think people are aware of how Wi-Fi works and that they didn't simply go down and buy a cheap Linksys router from Wal-mart and hooked it up according to the little brochure of instructions given to them by their ISPs, unaware that they're broadcasting personal information into the streets? You think they equate the mysterious computer network in their homes to television and radio or that they expect it to have enough range to reach out past the walls of their house?

That's where your analogy to "shouting" falls apart. People shouting are intentionally broadcasting information. People with unencrypted networks are not intentionally broadcasting information and are most likely unaware that they are. Just because they don't know they're doing it doesn't make it okay to exploit that fact. That a major corporation is driving vans around doing just that, and that people are defending said company, is simply amazing. If this was Microsoft or Apple, the tone of the comments would be totally different. Microsoft collecting people's emails and passwords would be a huge scandal around here.

I get that this is Slashdot which means defending everything Google does, but they deserve to be punished as a deterrent and to remind them to be that much more careful handling personal information next time, regardless of how they acquire it. Sometimes, it feels as if people excuse Google's behavior simply because Google uses Linux or works on open source projects or puts out an image that it's an "open" company (okay, so where's the source code for the search engine then?) in order to attract the Slashdot-browsing technical crowd.

I mean, we're talking 600 gigabytes of data here, collected over the span of three years. For three years, they didn't notice they were collecting emails and passwords? If their engineers were so neglectful that they incorrectly configured their data scanners, and their database admins didn't notice they were collecting much more data than they were looking for, then Google should be punished for that incompetence alone. They're handling personal information here. How about a little incentive for them to pay attention?

You guys attack other companies for doing much less than what Google gets away with constantly. By "you guys," I mean the contingent of defenders that have begun to sprung up in every one of these articles, automatically getting +5 Insightful, drowning out criticism of Google. This is a company whose CEO said that only people who have something to hide care about privacy. When is the other shoe going to drop? Why is it okay to have Google browsers running Google searches and browsing Google email while chatting via Google Talk and taking calls on Google phones, archiving and indexing all your information for advertisers? But Microsoft and Apple, they're evil monopolies in their markets and must be stopped!

I get that this is Slashdot which means defending everything Google does, but they deserve to be punished as a deterrent and to remind them to be that much more careful handling personal information next time, regardless of how they acquire it. Sometimes, it feels as if people excuse Google's behavior simply because Google uses Linux or works on open source projects or puts out an image that it's an "open" company (okay, so where's the source code for the search engine then?) in order to attract the Slashdo

The spirit of the law here is to protect peoples privacy, which is not the case when you broadcast the data into the street. Just saying 'but the law says so' doesn't mean shit to me honestly, how the law is interpreted in court is what actually matters, whats written is less important (for bad or good), and most certainly what some random slashdotter whos grumpy because Google exists means very little to anyone.

every use of the term wardriving that i have ever heard was focused on logging the location and type of wireless networks that are being broadcast. what google did involved capture of packets, which is more than just logging the location of a wireless network and calling it wardriving is too over-broad.

Right now they're being investigated because they drove down the street with a microphone and recorded all the idiots shouting out their private info to anyone willing to listen... without special listening equipment!I understand making it illegal for someone to use a laser mic to listen to my private in home conversations. I expect anything that normally would not be heard outside my home to be private.

So what is the line between special and non-special listening equipment?You draw the line at special equ

There is a legal definition for just this sort of thing, which stems from the constitution.

Privacy is about reasonable expectation. If you can (or the general public, not you specifically cause you may be a nutjob:) generally expect privacy and someone does something extra to break your privacy, then they did wrong.

If someone standing on the street just doing his own thing without any special equipment can get your information, it is not private.

There's *actual* crime happening every minute of every day online and this is the target the FCC is wasting its time and resources on?

Come on. Google effed up. They admitted they effed up. There's absolutely no evidence that Google did anything or was planning to do anything with this data and all available evidence points to a mistake rather than anything "evil". And besides, if you don't want your data sniffed, THEN ENCRYPT YOUR STUPID WI-FI CONNECTION!

In the spring Google said that they had collected a vast number of random 200ms snippets of encrypted data. Obviously this will include passwords, e-mail addresses, band account numbers, and anything else you can think of. Google tried not to talk about that aspect of it, but they didn't deny it - how could they. So how is it a revelation that, last month, they were forced to make an official statement of the obvious?

I feel like I've been reading stories about this incident every week since it was first

If I were conspiracy minded, which I'm not, but that's what _they_ want you to think, I would consider that the FCC seems to be a little too close to the cell phone companies, whose territory Google are encroaching on.

Read their justification here:http://www.nlpc.org/stories/2010/11/10/congress-must-investigate-google-obama-ties [nlpc.org]...urging a thorough investigation of both Google Street View and the FTC’s recent conduct during its investigation of the program. Click here for a 6-page pdf of the letter that includes additional background on Google’s extensive and close lobbying connections with the Obama Administration.

What I want to know is why the regulatory bodies of so many countries want to launch their own investigations into this. When has anything been discovered by these investigations that wasn't originally disclosed by Google? It was Google itself that announced to the world that this was going on, although only after Germany asked them about what they recorded. But it seems the only way to safeguard the privacy of the general public is for these government agencies to pick through the data, rather than just de

than a real investigation, given the most-favored-fundraiser status of the Google upper echelon wrt Democrats. Don't get me wrong; other than pitching a fit about the party opposite getting more cash, the GOP obviously doesn't give a care about corporations spying on US citizens either.